Gavin Lowe

We consider models of CSP based on recording what events are available as possible alternatives to 
the events that are actually performed. We present many different varieties of such models. For each, 
we give a compositional semantics, congruent to the operational semantics, and prove full abstraction 
and no-junk results. We compare the expressiveness of the different models. 

1 Introduction 

In this paper we consider a family of semantic models of CSP [13] that record what events a process makes available as possible alternatives to the events that are actually performed. For example, the models will distinguish $a \to STOP \,\Box\, b \to STOP$ and $a \to STOP \,\sqcap\, b \to STOP$: the former offers its environment the choice between $a$ and $b$, so can make $a$ available before performing $b$; however the latter decides internally whether to offer $a$ or $b$, so cannot make $a$ available before performing $b$.

A common way of motivating process algebras (dating back to [1]) is to view a process as a black box with which the observer interacts. The models in this paper correspond to that black box having a light for each event that turns on when the event is available (as in OSJ); the observer can record which lights turn on in addition to which events are performed.

I initially became interested in such models by considering message-passing concurrent program- 
ming languages that allow code to test whether a channel is ready for communication without actu- 
ally performing the communication. In [7], I considered the effect of extending CSP with a construct 
"if ready a then P else Q" that tests whether the event a is ready for communication (i.e., whether this pro- 
cess's environment is ready to perform a), acting like P or Q appropriately. The model in [7] recorded 
what events were made available by a process, in addition to the events actually performed. We investi- 
gate such models more fully in this paper. We show that — even without the above construct — there are 
many different variations, with different expressive power. 

By convention, a denotational semantic model of CSP is always compositional, i.e., the semantics of 
a composite process is given in terms of the semantics of its components. Further, there are several other 
desirable properties of semantic models: 

Congruence to the operational semantics The denotational semantics can either be extracted from the 
operational semantics, or calculated compositionally, both approaches giving the same result; 

Full abstraction The notion of semantic equivalence corresponds to some natural equivalence, typically 
defined in terms of testing; 

No-junk The denotational semantic domain corresponds precisely to the semantics of processes: for 
each element of the semantic domain, we can construct a corresponding process. 

Each of the semantic models in this paper satisfies these properties. 

In Section 2 we describe our basic model. We formalise the notion of availability of events in terms of the standard operational semantics. We then formalise the denotational semantic domain, and explain how to extract denotational information from the operational semantics. We then give a congruent compositional denotational semantics, and prove full abstraction and no-junk results.
In Section 3 we describe variations on the basic model, in two dimensions: one dimension restricts the number of observations of availability between successive standard events; the other dimension allows the simultaneous availability of multiple events to be recorded. For each resulting model, we describe compositional semantics, and full abstraction and no-junk results (we omit some of the details because of lack of space, and to avoid repetition). We then study the relative expressive power of the models.

Finally, in Section 4 we discuss various aspects of our models, some additional potential models, and some related work.

Overview of CSP We give here a brief overview of the syntax and semantics of CSP; for simplicity and brevity, we consider a fragment of the language in this paper. We also give a brief overview of the Traces and Stable Failures Models of CSP. For more details, see [6, 13].

CSP is a process algebra for describing programs or processes that interact with their environment by communication. Processes communicate via atomic events, from some set $\Sigma$. Events often involve passing values over channels; for example, the event $c.3$ represents the value 3 being passed on channel $c$.

The simplest process is STOP, which represents a deadlocked process that cannot communicate with 
its environment. The process div represents a divergent process that can only perform internal events. 

The process $a \to P$ offers its environment the event $a$; if the event is performed, it then acts like $P$. The process $c?x \to P$ is initially willing to input a value $x$ on channel $c$, i.e. it is willing to perform any event of the form $c.x$; it then acts like $P$ (which may use $x$). Similarly, the process $?a : A \to P$ is initially willing to perform any event $a$ from $A$; it then acts like $P$ (which may use $a$).

The process $P \,\Box\, Q$ can act like either $P$ or $Q$, the choice being made by the environment: the environment is offered the choice between the initial events of $P$ and $Q$. By contrast, $P \sqcap Q$ may act like either $P$ or $Q$, with the choice being made internally, not under the control of the environment; $\bigsqcap_{x \in X} P_x$ nondeterministically acts like any $P_x$ for $x$ in $X$. The process $P \rhd Q$ represents a sliding choice or timeout: it initially acts like $P$, but if no event is performed then it can internally change state to act like $Q$.

The process $P \,{}_A\|_B\, Q$ runs $P$ and $Q$ in parallel; $P$ is restricted to performing events from $A$; $Q$ is restricted to performing events from $B$; the two processes synchronise on events from $A \cap B$. The process $P \,|||\, Q$ interleaves $P$ and $Q$, i.e. runs them in parallel with no synchronisation.

The process $P \setminus A$ acts like $P$, except the events from $A$ are hidden, i.e. turned into internal, invisible events, denoted $\tau$, which do not need to synchronise with the environment. The process $P[\![R]\!]$ represents $P$ where events are renamed according to the relation $R$, i.e., $P[\![R]\!]$ can perform an event $b$ whenever $P$ can perform an event $a$ such that $a R b$.

Recursive processes may be defined equationally, or using the notation $\mu X \cdot P$, which represents a process that acts like $P$, where each occurrence of $X$ represents a recursive instantiation of $\mu X \cdot P$.

Prefixing ($\to$) binds tighter than each of the binary choice operators, which in turn bind tighter than the parallel operators.

CSP can be given both an operational and denotational semantics. The denotational semantics can either be extracted from the operational semantics, or defined directly over the syntax of the language; see [13]. It is more common to use the denotational semantics when specifying or describing the behaviours of processes, although most tools act on the operational semantics. A trace of a process is a sequence of (visible) events that a process can perform. If $tr$ is a trace, then $tr \upharpoonright A$ represents the restriction of $tr$ to the events in $A$, whereas $tr \setminus A$ represents $tr$ with the events from $A$ removed; concatenation is written $\frown$; $A^*$ represents the set of traces with events from $A$. A stable failure of a process $P$ is a pair $(tr, X)$, which represents that $P$ can perform the trace $tr$ to reach a stable state (i.e. where no internal events are possible) where $X$ can be refused, i.e., where none of the events of $X$ is available.
2 Availability information

In this section we consider a model that records that particular events are available during an execution. We begin by extending the operational semantics so as to formally define this notion of availability. We then define our semantic domain — traces containing both standard events and availability information — with suitable healthiness conditions. We then present compositional trace semantics, and show that it is congruent to the operational semantics. Finally, we prove full abstraction and no-junk results.

We write $\mathit{offer}\ a$ to record that the event $a$ is offered by a process, i.e. $a$ is available. We augment the operational semantics with actions to record such offers (we term these actions, to distinguish them from standard events). Formally, we define a new transition relation $\longmapsto$ from the standard transition relation $\longrightarrow$ (see [13, Chapter 7]) by:

$$P \xrightarrow{a} Q \;\Rightarrow\; P \overset{a}{\longmapsto} Q, \quad \text{for } a \in \Sigma \cup \{\tau\}, \qquad\qquad P \xrightarrow{a} \;\Rightarrow\; P \overset{\mathit{offer}\ a}{\longmapsto} P.$$

For example: $a \to STOP \,\Box\, b \to STOP \;\overset{\mathit{offer}\ a}{\longmapsto}\; a \to STOP \,\Box\, b \to STOP \;\overset{b}{\longmapsto}\; STOP$. Note that the transitions corresponding to offer actions do not change the state of the process.

We now consider an appropriate form for the denotational semantics. One might wonder whether it is enough to record availability information only at the end of a trace (by analogy to the stable failures model). However, a bit of thought shows that such a model would be equivalent to the standard Traces Model: a process can perform the trace $tr \frown \langle \mathit{offer}\ a \rangle$ precisely if it can perform the standard trace $tr \frown \langle a \rangle$.

We therefore record availability information throughout the trace. For convenience, for $A \subseteq \Sigma$, we define

$$\mathit{offer}\ A = \{\mathit{offer}\ a \mid a \in A\}, \qquad A^\dagger = A \cup \mathit{offer}\ A, \qquad A^{\dagger\tau} = A^\dagger \cup \{\tau\}.$$

We define an availability trace to be a sequence $tr$ in $(\Sigma^\dagger)^*$. We can extract the traces (of $\Sigma^\dagger$ actions) from the operational semantics (following the approach in [13, Chapter 7]):

Definition 1 We write $P \overset{s}{\longmapsto} Q$, for $s = \langle \alpha_1, \ldots, \alpha_n \rangle \in (\Sigma^{\dagger\tau})^*$, if there exist $P_0 = P, P_1, \ldots, P_n = Q$ such that $P_i \overset{\alpha_{i+1}}{\longmapsto} P_{i+1}$ for $i = 0, \ldots, n-1$. We write $P \overset{tr}{\Longrightarrow} Q$, for $tr \in (\Sigma^\dagger)^*$, if there is some $s$ such that $P \overset{s}{\longmapsto} Q$ and $tr = s \setminus \tau$.

Example 2 The process $a \to STOP \,\Box\, b \to STOP$ has the availability trace $\langle \mathit{offer}\ a, b \rangle$. However, the process $a \to STOP \,\sqcap\, b \to STOP$ does not have this trace. This model therefore distinguishes these two processes, unlike the standard Traces Model.

Note in particular that we may record the availability of events in unstable states (where $\tau$ events are available), by contrast with models like the Stable Failures Model that record (un)availability information only in stable states. The following example contrasts the two models.

Example 3 The processes $a \to STOP$ and $a \to STOP \sqcap STOP$ are distinguished in the Stable Failures Model, since the latter has stable failure $(\langle\rangle, \{a\})$; however they have the same availability traces.

The processes $(a \to STOP \rhd b \to STOP) \sqcap (b \to STOP \rhd a \to STOP)$ and $a \to STOP \,\Box\, b \to STOP$ are distinguished in the Availability Traces Model, since only the former has the availability trace $\langle \mathit{offer}\ a, b \rangle$; however, they have the same stable failures.

The availability traces of process $P$ are then $\{tr \mid P \overset{tr}{\Longrightarrow}\}$. The following definition captures the properties of this model.

Definition 4 The Availability Traces Model $\mathcal{A}$ contains those sets $T \subseteq (\Sigma^\dagger)^*$ that satisfy the following conditions:

1. $T$ is non-empty and prefix-closed.

2. offer actions can always be removed from or duplicated within a trace:

$$tr \frown \langle \mathit{offer}\ a \rangle \frown tr' \in T \;\Rightarrow\; tr \frown \langle \mathit{offer}\ a, \mathit{offer}\ a \rangle \frown tr' \in T \;\wedge\; tr \frown tr' \in T.$$

3. If a process can offer an event it can perform it: $tr \frown \langle \mathit{offer}\ a \rangle \in T \;\Rightarrow\; tr \frown \langle a \rangle \in T$.

4. If a process can perform an event it can first offer it: $tr \frown \langle a \rangle \frown tr' \in T \;\Rightarrow\; tr \frown \langle \mathit{offer}\ a, a \rangle \frown tr' \in T$.

Lemma 5 For all processes $P$, $\{tr \mid P \overset{tr}{\Longrightarrow}\}$ is an element of the Availability Traces Model, i.e., satisfies the four healthiness conditions.

Compositional traces semantics We now give compositional rules for the traces of a process. We write $traces_{\mathcal A}[\![P]\!]$ for the traces of $P$.¹ Below we will show that these are congruent to the operational definition above.

STOP and div are equivalent in this model: they can neither perform nor offer standard events. The process $a \to P$ can initially signal that it is offering $a$; it can then perform $a$, and continue like $P$.

$$traces_{\mathcal A}[\![STOP]\!] = traces_{\mathcal A}[\![div]\!] = \{\langle\rangle\},$$
$$traces_{\mathcal A}[\![a \to P]\!] = \{\mathit{offer}\ a\}^* \cup \{tr \frown \langle a \rangle \frown tr' \mid tr \in \{\mathit{offer}\ a\}^* \wedge tr' \in traces_{\mathcal A}[\![P]\!]\}.$$

The process $P \rhd Q$ can either perform a trace of $P$, or can perform a trace of $P$ with no standard events, and then (after the timeout) perform a trace of $Q$. The process $P \sqcap Q$ can perform traces of either of its components; the semantics of replicated nondeterministic choice is the obvious generalisation.

$$traces_{\mathcal A}[\![P \rhd Q]\!] = traces_{\mathcal A}[\![P]\!] \cup \{tr_P \frown tr_Q \mid tr_P \in traces_{\mathcal A}[\![P]\!] \wedge tr_P \upharpoonright \Sigma = \langle\rangle \wedge tr_Q \in traces_{\mathcal A}[\![Q]\!]\},$$
$$traces_{\mathcal A}[\![P \sqcap Q]\!] = traces_{\mathcal A}[\![P]\!] \cup traces_{\mathcal A}[\![Q]\!],$$
$$traces_{\mathcal A}[\![\textstyle\bigsqcap_{i \in I} P_i]\!] = \bigcup_{i \in I} traces_{\mathcal A}[\![P_i]\!].$$

Before the first visible event, the process $P \,\Box\, Q$ can perform an $\mathit{offer}\ a$ action if either $P$ or $Q$ can do so. Let $tr \,|||\, tr'$ be the set of ways of interleaving $tr$ and $tr'$ (this operator is defined in [13, page 67]). The three sets in the definition below correspond to the cases where (a) neither process performs any visible events, (b) $P$ performs at least one visible event (after which, $Q$ is turned off), and (c) the symmetric case where $Q$ performs at least one visible event.

$$\begin{array}{l}
traces_{\mathcal A}[\![P \,\Box\, Q]\!] = \\
\quad \{tr \mid \exists tr_P \in traces_{\mathcal A}[\![P]\!], tr_Q \in traces_{\mathcal A}[\![Q]\!] \cdot tr_P \upharpoonright \Sigma = tr_Q \upharpoonright \Sigma = \langle\rangle \wedge tr \in tr_P \,|||\, tr_Q\} \;\cup \\
\quad \{tr \frown \langle a \rangle \frown tr'_P \mid \exists tr_P \frown \langle a \rangle \frown tr'_P \in traces_{\mathcal A}[\![P]\!], tr_Q \in traces_{\mathcal A}[\![Q]\!] \cdot \\
\qquad\qquad tr_P \upharpoonright \Sigma = tr_Q \upharpoonright \Sigma = \langle\rangle \wedge a \in \Sigma \wedge tr \in tr_P \,|||\, tr_Q\} \;\cup \\
\quad \{tr \frown \langle a \rangle \frown tr'_Q \mid \exists tr_P \in traces_{\mathcal A}[\![P]\!], tr_Q \frown \langle a \rangle \frown tr'_Q \in traces_{\mathcal A}[\![Q]\!] \cdot \\
\qquad\qquad tr_P \upharpoonright \Sigma = tr_Q \upharpoonright \Sigma = \langle\rangle \wedge a \in \Sigma \wedge tr \in tr_P \,|||\, tr_Q\}.
\end{array}$$

In a parallel composition of the form $P \,{}_A\|_B\, Q$, $P$ is restricted to actions from $A^\dagger$, and $Q$ is restricted to actions from $B^\dagger$. Further, $P$ and $Q$ must synchronise upon both standard events from $A \cap B$ and offers of events from $A \cap B$. We write $tr_P \,\|_{(A \cap B)^\dagger}\, tr_Q$ for the set of ways of synchronising $tr_P$ and $tr_Q$ on actions from $(A \cap B)^\dagger$ (this operator is defined analogously to the standard trace synchronisation operator in [13, page 70]). The semantics of interleaving is similar.

$$traces_{\mathcal A}[\![P \,{}_A\|_B\, Q]\!] = \{tr \mid \exists tr_P \in traces_{\mathcal A}[\![P]\!] \cap (A^\dagger)^*, tr_Q \in traces_{\mathcal A}[\![Q]\!] \cap (B^\dagger)^* \cdot tr \in tr_P \,\|_{(A \cap B)^\dagger}\, tr_Q\},$$
$$traces_{\mathcal A}[\![P \,|||\, Q]\!] = \{tr \mid \exists tr_P \in traces_{\mathcal A}[\![P]\!], tr_Q \in traces_{\mathcal A}[\![Q]\!] \cdot tr \in tr_P \,|||\, tr_Q\}.$$

¹ We include the subscript $\mathcal A$ in $traces_{\mathcal A}[\![P]\!]$ to distinguish this semantics from the standard traces semantics, $traces[\![P]\!]$.

The semantic equation for hiding of $A$ captures that $\mathit{offer}\ A$ actions are blocked, and $A$ events are internalised. For relational renaming, we lift the renaming to apply to offer actions, i.e. $(\mathit{offer}\ a)\ R\ (\mathit{offer}\ b)$ if and only if $a R b$; we then lift the relation to traces by pointwise application. The semantic equation is then a further lift of $R$.

$$traces_{\mathcal A}[\![P \setminus A]\!] = \{tr_P \setminus A \mid tr_P \in traces_{\mathcal A}[\![P]\!] \wedge tr_P \upharpoonright \mathit{offer}\ A = \langle\rangle\},$$
$$traces_{\mathcal A}[\![P[\![R]\!]]\!] = \{tr \mid \exists tr_P \in traces_{\mathcal A}[\![P]\!] \cdot tr_P\ R\ tr\}.$$

We now consider the semantics of recursion. Our approach follows the standard method using complete partial orders; see, for example, [13, Appendix A.1].

Lemma 6 The Availability Traces Model forms a complete partial order under the subset ordering $\subseteq$, with $traces_{\mathcal A}[\![div]\!]$ as the bottom element.

Lemma 7 Each of the operators is continuous with respect to the $\subseteq$ ordering.

Hence from Tarski's Theorem, each mapping $F$ definable using the operators of the language has a least fixed point given by $\bigcup_{n \geq 0} F^n(div)$. This justifies the following definition.

$$traces_{\mathcal A}[\![\mu X \cdot F(X)]\!] = \text{the } \subseteq\text{-least fixed point of the semantic mapping corresponding to } F.$$

The following theorem shows that the two ways of capturing the traces are congruent; it can be proved by a straightforward structural induction.

Theorem 8 For all traces $tr \in (\Sigma^\dagger)^*$: $tr \in traces_{\mathcal A}[\![P]\!]$ iff $P \overset{tr}{\Longrightarrow}$.

Theorem 9 For all processes, $traces_{\mathcal A}[\![P]\!]$ is a member of the Availability Traces Model (i.e., it satisfies the conditions of Definition 4).

Full abstraction We can show that this model is fully abstract with respect to a form of testing in the style of [10]. We consider tests that may detect the availability of events. Following [7], we write $\mathit{ready}\ a \,\&\, T$ for a test that tests whether $a$ is available, and if so acts like the test $T$. We also allow a test $SUCCESS$ that represents a successful test, and a simple form of prefixing. Formally, tests are defined by the grammar:

$$T ::= SUCCESS \;\mid\; a \to T \;\mid\; \mathit{ready}\ a \,\&\, T.$$

We consider testing systems comprising a test $T$ and a process $P$, denoted $T \,\|\, P$. We define the semantics of testing systems by the rules below; $\omega$ indicates that the test has succeeded, and $\Omega$ represents a terminated testing system.

$$\frac{}{SUCCESS \,\|\, P \xrightarrow{\omega} \Omega} \qquad
\frac{P \xrightarrow{\tau} Q}{T \,\|\, P \xrightarrow{\tau} T \,\|\, Q} \qquad
\frac{P \xrightarrow{a} Q}{a \to T \,\|\, P \xrightarrow{a} T \,\|\, Q} \qquad
\frac{P \overset{\mathit{offer}\ a}{\longmapsto} P}{\mathit{ready}\ a \,\&\, T \,\|\, P \xrightarrow{\tau} T \,\|\, P}$$

We say that $P$ may pass the test $T$, denoted $P\ \mathit{may}\ T$, if $T \,\|\, P$ can perform $\omega$ (after zero or more $\tau$s).

We now show that if two processes are denotationally different, we can produce a test to distinguish them, i.e., such that one process passes the test, and the other fails it. Let $tr \in (\Sigma^\dagger)^*$. We can construct a test $T_{tr}$ that detects the trace $tr$.

$$T_{\langle\rangle} = SUCCESS, \qquad T_{\langle a \rangle \frown tr} = a \to T_{tr}, \qquad T_{\langle \mathit{offer}\ a \rangle \frown tr} = \mathit{ready}\ a \,\&\, T_{tr}.$$

The following lemma can be proved by a straightforward induction on the length of $tr$.

Lemma 10 For all processes $P$, $P\ \mathit{may}\ T_{tr}$ if and only if $tr \in traces_{\mathcal A}[\![P]\!]$.

Theorem 11 $traces_{\mathcal A}[\![P]\!] = traces_{\mathcal A}[\![Q]\!]$ if and only if $P$ and $Q$ pass the same tests.

Proof: The only if direction is trivial. If $traces_{\mathcal A}[\![P]\!] \neq traces_{\mathcal A}[\![Q]\!]$ then without loss of generality suppose $tr \in traces_{\mathcal A}[\![P]\!] - traces_{\mathcal A}[\![Q]\!]$; then $P\ \mathit{may}\ T_{tr}$ but not $Q\ \mathit{may}\ T_{tr}$. □
We now show that the model contains no junk: each element of the model corresponds to a process.

Theorem 12 Let $T$ be a member of the Availability Traces Model. Then there is a process $P$ such that $traces_{\mathcal A}[\![P]\!] = T$.

Proof: Let $tr$ be a trace. We can construct a process $P_{tr}$ as follows:

$$P_{\langle\rangle} = STOP, \qquad P_{\langle a \rangle \frown tr} = a \to P_{tr}, \qquad P_{\langle \mathit{offer}\ a \rangle \frown tr} = (a \to div) \rhd P_{tr}.$$

Then the traces of $P_{tr}$ are just $tr$ and those traces implied from $tr$ by the healthiness conditions of Definition 4. Formally, we can prove this by induction on $tr$. For example:

• The traces of $P_{\langle a \rangle \frown tr}$ are prefixes of traces of the form² $\langle \mathit{offer}\ a \rangle^k \frown \langle a \rangle \frown tr'$, where $k \geq 0$ and $tr'$ is a trace of $P_{tr}$. Hence (by the inductive hypothesis) $tr'$ is implied from $tr$ by the healthiness conditions. Thus $\langle a \rangle \frown tr'$ is implied from $\langle a \rangle \frown tr$. Finally $\langle \mathit{offer}\ a \rangle^k \frown \langle a \rangle \frown tr'$ is implied from $\langle a \rangle \frown tr$ by $k$ applications of healthiness condition 4.

• The traces of $P_{\langle \mathit{offer}\ a \rangle \frown tr}$ are of two forms:

  – Prefixes of traces of the form $\langle \mathit{offer}\ a \rangle^k \frown \langle a \rangle$, which is implied from $\langle \mathit{offer}\ a \rangle$ by healthiness conditions 2 and 3.

  – Traces of the form $\langle \mathit{offer}\ a \rangle^k \frown tr'$ where $tr'$ is a trace of $P_{tr}$. Hence (by the inductive hypothesis) $tr'$ is implied from $tr$ by the healthiness conditions. And so $\langle \mathit{offer}\ a \rangle^k \frown tr'$ is implied from $\langle \mathit{offer}\ a \rangle \frown tr$ by healthiness condition 2.

Then $P = \bigsqcap_{tr \in T} P_{tr}$ is such that $traces_{\mathcal A}[\![P]\!] = T$. □

² We write $\langle \mathit{offer}\ a \rangle^k$ to denote a trace containing $k$ copies of $\mathit{offer}\ a$.
3 Variations

In this section we consider variations on the model of the previous section, extending the models along essentially two different dimensions. We first consider models that place a limit on the number of offer actions between consecutive standard events. We then consider models that record the availability of sets of events. Finally we combine these two variations, to produce a hierarchy of different models with different expressive power (illustrated in Figure 1). For each variant, we sketch how to adapt the semantic model and full abstraction result from Section 2. We concentrate on discussing the relationship between the different models.

3.1 Bounded availability actions 

Up to now, we have allowed arbitrarily many offer actions between consecutive standard events. It turns out that we can restrict this. For example, we could allow at most one offer action between consecutive standard events (or before the first event, or after the last event). This model is more abstract than the previous; for example, it identifies the processes

$$(a \to STOP \,\Box\, b \to STOP) \sqcap (a \to STOP \,\Box\, c \to STOP) \sqcap (b \to STOP \,\Box\, c \to STOP)$$

and

$$(a \to STOP \,\Box\, b \to STOP \,\Box\, c \to STOP),$$

whereas the previous model distinguished them by the trace $\langle \mathit{offer}\ a, \mathit{offer}\ b, c \rangle$.

More generally, we define the model $\mathcal{A}_n$ that allows at most $n$ offer actions between consecutive standard events. Let $Obs_n$ be the set of availability traces with this property. Then the model $\mathcal{A}_n$ is the restriction of $\mathcal{A}$ to $Obs_n$, i.e., writing $traces_{\mathcal{A},n}$ for the semantic function for $\mathcal{A}_n$, we have $traces_{\mathcal{A},n}[\![P]\!] = traces_{\mathcal A}[\![P]\!] \cap Obs_n$. In particular, $\mathcal{A}_0$ is equivalent to the standard traces model.

The following example shows that the models become strictly more refined as $n$ increases; further, the full Availability Traces Model $\mathcal{A}$ is finer than each of the approximations $\mathcal{A}_n$.

Example 13 Consider the processes

$$P_0 = STOP, \qquad P_{n+1} = (a \to STOP \,\sqcap\, b \to STOP) \rhd P_n.$$

Suppose $n$ is non-zero and even (the case of odd $n$ is similar). Processes $P_n$ and $P_{n+1}$ can be distinguished in model $\mathcal{A}_n$ and model $\mathcal{A}$, since only $P_{n+1}$ has the trace $\langle \mathit{offer}\ a, \mathit{offer}\ b, \mathit{offer}\ a, \mathit{offer}\ b, \ldots, \mathit{offer}\ a, \mathit{offer}\ b, a \rangle$ with $n$ offer actions. However, these processes are equal in model $\mathcal{A}_{n-1}$.

Following Roscoe [13], we write $M \preceq M'$ if model $M'$ is finer (i.e. distinguishes more processes) than model $M$, and $\prec$ for the corresponding strict relation. The above example shows

$$\mathcal{A}_0 \prec \mathcal{A}_1 \prec \mathcal{A}_2 \prec \cdots \prec \mathcal{A}.$$
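As an added example (not code from the paper), the following Python encodes the derived operational semantics of Section 2 for a finite CSP fragment and checks the claims of Examples 2 and 3, the no-junk construction $P_{tr}$ of Theorem 12, and the bounded models $Obs_n$ of Example 13 above; the tuple encoding of terms and all function names are our own.

```python
# Added example (not from the paper): the derived operational semantics of
# Section 2 for a finite CSP fragment, with 'offer a' as a self-loop on any
# state that can perform a.  Term encoding and function names are our own.
TAU = 'tau'
STOP, DIV = ('STOP',), ('div',)

def prefix(a, p):  return ('prefix', a, p)    # a -> P
def ext(p, q):     return ('ext', p, q)       # P [] Q   (external choice)
def intc(p, q):    return ('int', p, q)       # P |~| Q  (internal choice)
def timeout(p, q): return ('timeout', p, q)   # P |> Q   (sliding choice)

def steps(p):
    """Standard transitions P -x-> P' as (x, P') pairs; x is an event or TAU."""
    kind = p[0]
    if kind == 'STOP':   return []
    if kind == 'div':    return [(TAU, p)]
    if kind == 'prefix': return [(p[1], p[2])]
    if kind == 'int':    return [(TAU, p[1]), (TAU, p[2])]
    if kind == 'ext':    # a tau step by one side leaves the choice unresolved
        return ([(x, ext(r, p[2]) if x == TAU else r) for x, r in steps(p[1])] +
                [(x, ext(p[1], r) if x == TAU else r) for x, r in steps(p[2])])
    if kind == 'timeout':   # P's own steps, plus the timeout itself (to Q)
        return [(TAU, p[2])] + [(x, timeout(r, p[2]) if x == TAU else r) for x, r in steps(p[1])]
    raise ValueError(kind)

def alphabet(p):   # visible events mentioned in a term
    if p[0] == 'prefix':
        return {p[1]} | alphabet(p[2])
    return set().union(*(alphabet(c) for c in p[1:]))

def offers(p):     # derived offer actions: P |-offer a-> P whenever P -a->
    return {x for x, _ in steps(p) if x != TAU}

def tau_closure(states):
    seen, work = set(states), list(states)
    while work:
        for x, q in steps(work.pop()):
            if x == TAU and q not in seen:
                seen.add(q)
                work.append(q)
    return seen

def after(states, act):   # states reached by one Sigma-dagger action from the tau-closure
    closed = tau_closure(states)
    if isinstance(act, tuple):   # act == ('offer', a): a self-loop, state unchanged
        return {p for p in closed if act[1] in offers(p)}
    return {q for p in closed for x, q in steps(p) if x == act}

def has_trace(p, tr):   # Definition 1: P ==tr==> Q for some Q (taus dropped from the path)
    states = {p}
    for act in tr:
        states = after(states, act)
        if not states:
            return False
    return True

def in_obs(tr, n):   # Obs_n of Section 3.1: at most n consecutive offer actions
    run = 0
    for act in tr:
        run = run + 1 if isinstance(act, tuple) else 0
        if run > n:
            return False
    return True

def traces_upto(p, length, n=None):   # availability traces of p up to `length` actions, within Obs_n if n is given
    acts = sorted(alphabet(p))
    acts += [('offer', a) for a in acts]
    result, frontier = {()}, [((), {p})]
    for _ in range(length):
        nxt = []
        for tr, states in frontier:
            for act in acts:
                tr2 = tr + (act,)
                if n is not None and not in_obs(tr2, n):
                    continue
                s2 = after(states, act)
                if s2:
                    result.add(tr2)
                    nxt.append((tr2, s2))
        frontier = nxt
    return result

def p_tr(tr):
    """Theorem 12: P_<> = STOP, P_<a>^tr = a -> P_tr, P_<offer a>^tr = (a -> div) |> P_tr."""
    p = STOP
    for act in reversed(tr):
        p = timeout(prefix(act[1], DIV), p) if isinstance(act, tuple) else prefix(act, p)
    return p

A_OR_B = (prefix('a', STOP), prefix('b', STOP))
EXT_AB, INT_AB = ext(*A_OR_B), intc(*A_OR_B)    # Example 2's two processes

def p_n(n):
    """Example 13: P_0 = STOP, P_{n+1} = (a -> STOP |~| b -> STOP) |> P_n."""
    p = STOP
    for _ in range(n):
        p = timeout(INT_AB, p)
    return p
```

For instance, `has_trace(EXT_AB, [('offer', 'a'), 'b'])` holds while `has_trace(INT_AB, [('offer', 'a'), 'b'])` does not, and `traces_upto(p_n(2), 4, 1) == traces_upto(p_n(3), 4, 1)` even though `p_n(3)` alone has the trace $\langle \mathit{offer}\ a, \mathit{offer}\ b, a \rangle$ of $Obs_2$.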

It is easy to see that these models are all compositional: in all the semantic equations, the presence of a trace from $Obs_n$ in a composite process is always implied by the presence of traces from $Obs_n$ in the subcomponents. It is important, here, that the number of consecutive offers is downwards-closed: the same result would not hold if we considered a model that includes exactly $n$ offer actions between successive standard events, for in an interleaving $P \,|||\, Q$, a sequence of $n$ consecutive offers may be formed from $k$ offers of $P$ and $n - k$ offers of $Q$.
In some cases, the semantic equations have to be adapted slightly to ensure the traces produced are indeed from $Obs_n$, for example:

$$traces_{\mathcal{A},n}[\![P \,{}_A\|_B\, Q]\!] = \{tr \mid \exists tr_P \in traces_{\mathcal{A},n}[\![P]\!] \cap (A^\dagger)^*, tr_Q \in traces_{\mathcal{A},n}[\![Q]\!] \cap (B^\dagger)^* \cdot tr \in (tr_P \,\|_{(A \cap B)^\dagger}\, tr_Q) \cap Obs_n\}.$$

The healthiness conditions need to be adapted slightly to reflect that only traces from $Obs_n$ are included. For example, condition 4 becomes

$$4'.\quad tr \frown \langle a \rangle \frown tr' \in T \;\wedge\; tr \frown \langle \mathit{offer}\ a, a \rangle \frown tr' \in Obs_n \;\Rightarrow\; tr \frown \langle \mathit{offer}\ a, a \rangle \frown tr' \in T.$$

Finally, the full abstraction result still holds, but the tests need to be restricted to include at most $n$ successive ready tests. And the no-junk result still holds.

3.2 Availability sets 

The models we have considered so far record the availability of a single event at a time. If we consider the availability of a set of events, can we distinguish more processes? The answer turns out to be yes, but only with processes that can either diverge or that exhibit unbounded nondeterminism (a result which was surprising to me).

We will consider actions of the form $\mathit{offer}\ A$, where $A$ is a set of events, representing that all the events in $A$ are simultaneously available. We can adapt the derived operational semantics appropriately:

$$P \xrightarrow{a} Q \;\Rightarrow\; P \overset{a}{\longmapsto}_{\mathbb P} Q, \quad \text{for } a \in \Sigma \cup \{\tau\}, \qquad\qquad (\forall a \in A \cdot P \xrightarrow{a}) \;\Rightarrow\; P \overset{\mathit{offer}\ A}{\longmapsto}_{\mathbb P} P.$$

For convenience, we define

$$A^{\mathbb P\dagger} = A \cup \{\mathit{offer}\ B \mid B \in \mathbb P A\}.$$

Traces will then be from $(\Sigma^{\mathbb P\dagger})^*$. We can extract traces of this form from the derived operational semantics as in Definition 1 (writing $\longmapsto_{\mathbb P}$ and $\Longrightarrow_{\mathbb P}$ for the corresponding relations).

We call this model the Availability Sets Traces Model, and will sometimes refer to the previous model as the Singleton Availability Traces Model, in order to emphasise the difference.
Definition 14 The Availability Sets Traces Model $\mathcal{A}^{\mathbb P}$ contains those sets $T \subseteq (\Sigma^{\mathbb P\dagger})^*$ that satisfy the following conditions.

1. $T$ is non-empty and prefix-closed.

2. offer actions can always be removed from or duplicated within a trace:

$$tr \frown \langle \mathit{offer}\ A \rangle \frown tr' \in T \;\Rightarrow\; tr \frown \langle \mathit{offer}\ A, \mathit{offer}\ A \rangle \frown tr' \in T \;\wedge\; tr \frown tr' \in T.$$

3. If a process can offer an event it can perform it: $tr \frown \langle \mathit{offer}\ A \rangle \in T \;\Rightarrow\; \forall a \in A \cdot tr \frown \langle a \rangle \in T$.

4. If a process can perform an event it can first offer it:

$$tr \frown \langle a \rangle \frown tr' \in T \;\Rightarrow\; tr \frown \langle \mathit{offer}\ \{a\}, a \rangle \frown tr' \in T.$$

5. The offers of a process are subset-closed:

$$tr \frown \langle \mathit{offer}\ A \rangle \frown tr' \in T \;\wedge\; B \subseteq A \;\Rightarrow\; tr \frown \langle \mathit{offer}\ B \rangle \frown tr' \in T.$$

6. Processes can always offer the empty set: $tr \frown tr' \in T \;\Rightarrow\; tr \frown \langle \mathit{offer}\ \{\} \rangle \frown tr' \in T$.
Lemma 15 For all processes $P$, $\{tr \mid P \overset{tr}{\Longrightarrow}_{\mathbb P}\}$ is an element of the Availability Sets Traces Model.

Compositional semantics We give below semantic equations for the Availability Sets Traces Model. Most of the clauses are straightforward adaptations of the corresponding clauses in the Singleton Availability Traces Model.

For the parallel operators and external choice, we define an operator $\|^{\mathbb P}_X$ such that $tr \,\|^{\mathbb P}_X\, tr'$ gives all traces resulting from traces $tr$ and $tr'$, synchronising on events and offers of events from $X$. The definition is omitted due to space restrictions.

For relational renaming, we lift the renaming to apply to offer actions, by forming the subset-closure of the relational image:

$$(\mathit{offer}\ A)\ R\ (\mathit{offer}\ B) \iff \forall b \in B \cdot \exists a \in A \cdot a R b.$$

We again lift it to traces pointwise.

The semantic clauses are as follows.

$$traces^{\mathbb P}_{\mathcal A}[\![STOP]\!] = traces^{\mathbb P}_{\mathcal A}[\![div]\!] = \{\mathit{offer}\ \{\}\}^*,$$

$$traces^{\mathbb P}_{\mathcal A}[\![a \to P]\!] = Init \cup \{tr \frown \langle a \rangle \frown tr' \mid tr \in Init \wedge tr' \in traces^{\mathbb P}_{\mathcal A}[\![P]\!]\}, \quad \text{where } Init = \{\mathit{offer}\ \{\}, \mathit{offer}\ \{a\}\}^*,$$

$$traces^{\mathbb P}_{\mathcal A}[\![P \rhd Q]\!] = traces^{\mathbb P}_{\mathcal A}[\![P]\!] \cup \{tr_P \frown tr_Q \mid tr_P \in traces^{\mathbb P}_{\mathcal A}[\![P]\!] \wedge tr_P \upharpoonright \Sigma = \langle\rangle \wedge tr_Q \in traces^{\mathbb P}_{\mathcal A}[\![Q]\!]\},$$

$$traces^{\mathbb P}_{\mathcal A}[\![P \sqcap Q]\!] = traces^{\mathbb P}_{\mathcal A}[\![P]\!] \cup traces^{\mathbb P}_{\mathcal A}[\![Q]\!],$$

$$\begin{array}{l}
traces^{\mathbb P}_{\mathcal A}[\![P \,\Box\, Q]\!] = \\
\quad \{tr \mid \exists tr_P \in traces^{\mathbb P}_{\mathcal A}[\![P]\!], tr_Q \in traces^{\mathbb P}_{\mathcal A}[\![Q]\!] \cdot tr_P \upharpoonright \Sigma = tr_Q \upharpoonright \Sigma = \langle\rangle \wedge tr \in tr_P \,\|^{\mathbb P}_{\{\}}\, tr_Q\} \;\cup \\
\quad \{tr \frown \langle a \rangle \frown tr'_P \mid \exists tr_P \frown \langle a \rangle \frown tr'_P \in traces^{\mathbb P}_{\mathcal A}[\![P]\!], tr_Q \in traces^{\mathbb P}_{\mathcal A}[\![Q]\!] \cdot \\
\qquad\qquad tr_P \upharpoonright \Sigma = tr_Q \upharpoonright \Sigma = \langle\rangle \wedge a \in \Sigma \wedge tr \in tr_P \,\|^{\mathbb P}_{\{\}}\, tr_Q\} \;\cup \\
\quad \{tr \frown \langle a \rangle \frown tr'_Q \mid \exists tr_P \in traces^{\mathbb P}_{\mathcal A}[\![P]\!], tr_Q \frown \langle a \rangle \frown tr'_Q \in traces^{\mathbb P}_{\mathcal A}[\![Q]\!] \cdot \\
\qquad\qquad tr_P \upharpoonright \Sigma = tr_Q \upharpoonright \Sigma = \langle\rangle \wedge a \in \Sigma \wedge tr \in tr_P \,\|^{\mathbb P}_{\{\}}\, tr_Q\},
\end{array}$$

$$traces^{\mathbb P}_{\mathcal A}[\![P \,{}_A\|_B\, Q]\!] = \{tr \mid \exists tr_P \in traces^{\mathbb P}_{\mathcal A}[\![P]\!] \cap (A^{\mathbb P\dagger})^*, tr_Q \in traces^{\mathbb P}_{\mathcal A}[\![Q]\!] \cap (B^{\mathbb P\dagger})^* \cdot tr \in tr_P \,\|^{\mathbb P}_{A \cap B}\, tr_Q\},$$

$$traces^{\mathbb P}_{\mathcal A}[\![P \,|||\, Q]\!] = \{tr \mid \exists tr_P \in traces^{\mathbb P}_{\mathcal A}[\![P]\!], tr_Q \in traces^{\mathbb P}_{\mathcal A}[\![Q]\!] \cdot tr \in tr_P \,\|^{\mathbb P}_{\{\}}\, tr_Q\},$$

$$traces^{\mathbb P}_{\mathcal A}[\![P \setminus A]\!] = \{tr_P \setminus A \mid tr_P \in traces^{\mathbb P}_{\mathcal A}[\![P]\!] \wedge \forall\, \mathit{offer}\ X \text{ in } tr_P \cdot X \cap A = \{\}\},$$

$$traces^{\mathbb P}_{\mathcal A}[\![P[\![R]\!]]\!] = \{tr \mid \exists tr_P \in traces^{\mathbb P}_{\mathcal A}[\![P]\!] \cdot tr_P\ R\ tr\},$$

$$traces^{\mathbb P}_{\mathcal A}[\![\mu X \cdot F(X)]\!] = \text{the } \subseteq\text{-least fixed point of the semantic mapping corresponding to } F.$$

Theorem 16 The semantics is congruent to the operational semantics: $tr \in traces^{\mathbb P}_{\mathcal A}[\![P]\!]$ iff $P \overset{tr}{\Longrightarrow}_{\mathbb P}$.

Full abstraction In order to prove a full abstraction result, we extend our class of tests to include a test of the form $\mathit{ready}\ A \,\&\, T$, which tests whether all the events in $A$ are available, and if so acts like the test $T$. Formally, this test is captured by the following rule.

$$\frac{P \overset{\mathit{offer}\ A}{\longmapsto}_{\mathbb P} P}{\mathit{ready}\ A \,\&\, T \,\|\, P \xrightarrow{\tau} T \,\|\, P}$$
Given $tr \in (\Sigma^{\mathbb P\dagger})^*$, we can construct a test $T_{tr}$ that detects the trace $tr$ as follows.

$$T_{\langle\rangle} = SUCCESS, \qquad T_{\langle a \rangle \frown tr} = a \to T_{tr}, \qquad T_{\langle \mathit{offer}\ A \rangle \frown tr} = \mathit{ready}\ A \,\&\, T_{tr}.$$

The full abstraction proof then proceeds precisely as in Section 2.

We can prove a no-junk result as in Section 2. Given trace $tr$, we can construct a process $P_{tr}$ as follows:

$$P_{\langle\rangle} = STOP, \qquad P_{\langle a \rangle \frown tr} = a \to P_{tr}, \qquad P_{\langle \mathit{offer}\ A \rangle \frown tr} = (?a : A \to div) \rhd P_{tr}.$$

Then the traces of $P_{tr}$ are just $tr$ and those traces implied from $tr$ by the healthiness conditions. Again, given an element $T$ from the Availability Sets Traces Model, we can define $P = \bigsqcap_{tr \in T} P_{tr}$; then $traces^{\mathbb P}_{\mathcal A}[\![P]\!] = T$.

Distinguishing power We now consider the extent to which the Availability Sets Model can distinguish processes that the Singleton Availability Model can't.

Example 17 The Availability Sets Traces Model distinguishes the processes

$$P = a \to STOP \,\Box\, b \to STOP, \qquad Q = (a \to STOP \,\sqcap\, b \to STOP) \rhd Q,$$

since just $P$ has the trace $\langle \mathit{offer}\ \{a, b\} \rangle$. However, these are equivalent in the Singleton Availability Traces Model; in particular, both can perform arbitrary sequences of $\mathit{offer}\ a$ and $\mathit{offer}\ b$ actions initially.

The process $Q$ above can diverge (i.e., perform an infinite number of internal $\tau$ events corresponding to timeouts). We can obtain a similar effect without divergence, but using unbounded nondeterminism.

Example 18 Consider

$$Q_0 = STOP, \qquad Q_{n+1} = (a \to STOP \,\sqcap\, b \to STOP) \rhd Q_n, \qquad Q' = \bigsqcap_{n \in \mathbb N} Q_n.$$

Then $P$ (from the previous example) and $Q'$ are distinguished in the Availability Sets Traces Model but not the Singleton Availability Traces Model.

For finitely nondeterministic, non-divergent processes, it is enough to consider the availability of only finite sets, since such a process can offer an infinite set $A$ if and only if it can offer all its finite subsets. However, for infinitely nondeterministic processes, one can make more distinctions by considering infinite sets.

Example 19 Let $A$ be an infinite set of events. Consider the processes

$$?a : A \to STOP \qquad \text{and} \qquad \bigsqcap_{b \in A} ?a : A - \{b\} \to STOP.$$

Then these have the same finite availability sets, but just the former has all of $A$ available.
Proposition 20 If $P$ and $Q$ are non-divergent, finitely nondeterministic processes, that are equivalent in the Singleton Availability Model, then they are equivalent in the Availability Sets Model.

Proof: Suppose, for a contradiction, that $P$ and $Q$ are non-divergent and finitely nondeterministic, are equivalent in the Singleton Availability Model, but are distinguished in the Availability Sets Model. Then, without lo of generality, there are traces $tr$ and $tr'$, and a set of events $A$ such that $tr \frown \langle \mathit{offer}\ A \rangle \frown tr'$ is a trace of $P$ but not of $Q$. By the discussion in the previous paragraph, we may assume, without loss of generality, that $A$ is finite, say $A = \{a_1, \ldots, a_n\}$. Since $Q$ is non-divergent and finitely nondeterministic, there is some bound, $k$ say, on the number of consecutive $\tau$ events that it can perform after $tr$. Since $P$ can offer all of $A$ after $tr$, it can also offer any individual events from $A$, sequentially, in an arbitrary order. In particular, it has the singleton availability trace

$$tr \frown \langle \mathit{offer}\ a_1, \ldots, \mathit{offer}\ a_n \rangle^{k+1} \frown tr'.$$

Since $P$ and $Q$ are, by assumption, equivalent in the Singleton Availability Model, $Q$ also has this trace. $Q$ must perform at most $k$ $\tau$ events within the sub-trace $\langle \mathit{offer}\ a_1, \ldots, \mathit{offer}\ a_n \rangle^{k+1}$. This tells us that there is a sub-trace within that, of length $n$, containing no $\tau$ events. Within this sub-trace there are no state changes (i.e., there are only self-loops corresponding to the offer actions), and so all the $a_i$ are offered in the same state. Hence $tr \frown \langle \mathit{offer}\ A \rangle \frown tr'$ is an availability set trace of $Q$, giving a contradiction. □

Bounded sets We can consider some variants on the Availability Sets Traces Model.

First, let us consider the model $\mathcal{A}^k$ that places a limit of size $k$ upon availability sets. It is reasonably straightforward to produce compositional semantics for such models, and to adapt the full abstraction and no-junk results. It is perhaps surprising that such a semantics is compositional, since a similar result does not hold for stable failures [?] (although it is conjectured in [15] that this does hold for acceptances).

Clearly, $\mathcal{A}^1 = \mathcal{A}$, and $\mathcal{A}^0$ is the standard traces model. Examples 17 and 18 show that $\mathcal{A}^2$ is finer than $\mathcal{A}^1$. We can generalise those examples to show that each model $\mathcal{A}^k$ is finer than $\mathcal{A}^{k-1}$.

Example 21 Let At be a set of size k. Consider 

P k = la : A k -> STOP, 

= n beAk (7a:A k -{b}^STOP)>Q k . 

Then P k and Q k are distinguished in srf k since only P k has the trace (offer A k ). However they are equiva- 
lent in £f k ~ l : in particular, both can initially perform any trace of offers of size k— 1. 

The limit of the models $\mathcal{A}^k$ considers arbitrary finite availability sets; we term this $\mathcal{A}^F$. The model $\mathcal{A}^F$ distinguishes the processes $P_k$ and $Q_k$ from Example 21 for all $k$, so is finer than each of the models with bounded availability sets. As shown by Example 19, $\mathcal{A}$ is coarser than $\mathcal{A}^F$.

In fact, for an arbitrary infinite cardinal $\kappa$, we can consider the model $\mathcal{A}^\kappa$ that places a limit of size $\kappa$ upon availability sets. Example 19 showed that considering finite availability sets distinguishes fewer processes than allowing infinite availability sets, i.e. $\mathcal{A}^F \prec \mathcal{A}^\kappa$. The following example shows that the models become finer as $\kappa$ increases.

Example 22 Pick an infinite cardinal $\kappa$, and pick alphabet $\Sigma$ such that $card(\Sigma) \geq \kappa$. Then the processes

$$Q_\kappa = \bigsqcap_{A \subseteq \Sigma,\ card(A) < \kappa} ?a : A \to STOP$$

are distinguished by the model $\mathcal{A}^\kappa$, since only $P_\kappa$ can offer sets of size $\kappa$. However, for $\lambda < \kappa$, they are not distinguished by the model $\mathcal{A}^\lambda$: for example, if $P_\kappa$ has the trace $\langle \mathit{offer}\ A_1, \ldots, \mathit{offer}\ A_n \rangle$ in $\mathcal{A}^\lambda$, then $card(A_i) \leq \lambda < \kappa$, for each $i$; but also $A = \bigcup_{i=1}^n A_i$ has $card(A) \leq \lambda < \kappa$, so $Q_\kappa$ can perform this trace by picking $A$ in the nondeterministic choice.

(In fact, this example shows that these models, like the cardinals, form a proper class, rather than a set!) In most applications, the alphabet $\Sigma$ is countable; these models then coincide for processes with such an alphabet. The model $\mathcal{A}^P$ distinguishes the processes $P_\kappa$ and $Q_\kappa$ from Example 22 for all $\kappa$, so is finer than each of the models $\mathcal{A}^\kappa$.
Summarising: 

3.3 Combining the variations 

We can combine the ideas from Sections 3.1 and 3.2 to produce a family of models $\mathcal{A}^{\mathfrak{k}}_{\mathfrak{n}}$, where:

• $\mathfrak{k}$ is either a natural number $k$ or an infinite cardinal $\kappa$, indicating an upper bound on the size of availability sets, or the symbol $F$ indicating that arbitrary finite availability sets are allowed, or the symbol $P$ indicating that arbitrary availability sets are allowed;

• $\mathfrak{n}$ is either a natural number $n$, indicating an upper bound on the number of availability sets between successive standard events, or the symbol $F$ indicating that any finite number is allowed.

If $\mathfrak{k} = 0$ or $\mathfrak{n} = 0$ then $\mathcal{A}^{\mathfrak{k}}_{\mathfrak{n}}$ is just the standard traces model. Further, srf$ = jz^ 1 and ^ = s^.

We can show that this family is ordered as the natural extension of the earlier (one-parameter) families; the relationship between the models is illustrated in Figure 1. In particular, these models are distinct for $\mathfrak{n}, \mathfrak{k} \neq 0$. We can re-use several of the earlier examples to this end. Example 13 shows that for each $\mathfrak{k} \neq 0$

$$\mathcal{A}^{\mathfrak{k}}_0 \prec \mathcal{A}^{\mathfrak{k}}_1 \prec \mathcal{A}^{\mathfrak{k}}_2 \prec \cdots \prec \mathcal{A}^{\mathfrak{k}}_F.$$

The following example generalises Example 21.

Example 23 Let $n$ and $k$ be positive natural numbers. Let $A$ be a set of size $n \times k + 1$. Consider

$$P = ?a : A \to STOP,$$

$$Q = \bigsqcap_{B \subset A} ?a : B \to STOP.$$

Let $A_1, \ldots, A_n, \{a\}$ be a partition of $A$, where each $A_i$ is of size $k$. Then $\langle \mathit{offer}\ A_1, \ldots, \mathit{offer}\ A_n, a \rangle$ is a trace of $P$ but not of $Q$, so these processes are distinguished by $\mathcal{A}^k_n$. However, the two processes are equivalent in [...]. Hence [...] $\prec$ [...]. Further, $\mathcal{A}^F_F$ distinguishes these processes, for all (finite) $n$ and $k$, so [...].

Example 19 shows that $\mathcal{A}^F_{\mathfrak{n}} \prec \mathcal{A}^\kappa_{\mathfrak{n}}$ for each infinite cardinal $\kappa$ and for each $\mathfrak{n}$. Further, Example 22 shows that if $\lambda < \kappa$ are two infinite cardinals, then $\mathcal{A}^\lambda_{\mathfrak{n}} \prec \mathcal{A}^\kappa_{\mathfrak{n}} \prec \mathcal{A}^P_{\mathfrak{n}}$.

4 Discussion 

Figure 1: The hierarchy of models

Simulation and model checking The models described in this paper are not supported by the model checker FDR [12, 2]. However, it is possible to simulate the semantics, using a fresh event $\mathit{offer}.A$ to simulate the action $\mathit{offer}\ A$. For example, $P = a \to STOP \mathrel{\Box} b \to STOP$ would be simulated by

$$P_{sim} = a \to STOP_{sim} \mathrel{\Box} b \to STOP_{sim} \mathrel{\Box} \mathit{offer}?A : \mathbb{P}(\{a, b\}) \to P_{sim},$$

$$STOP_{sim} = \mathit{offer}.\{\} \to STOP_{sim}.$$

This simulation process, then, has the same traces as the original process in the Availability Sets Model, but with each $\mathit{offer}\ A$ action replaced by $\mathit{offer}.A$. The semantics in each of the other models can be obtained by restricting the size or number of $\mathit{offer}$ events.

In [16], Roscoe shows that any operational semantics that is CSP-like, in a certain sense, can be simulated using standard CSP operators. One can define the operational semantics of the current paper in a way that makes them CSP-like, in this sense. Roscoe's simulation is supported by a tool by Gibson-Robinson [3], which has been used to automate the simulation of the Singleton Availability Model and the Availability Sets Model. This opens up the possibility of using FDR to perform analyses in these models.

Related and further models In [13], Roscoe investigates the hierarchy of finite linear observation models of CSP. All of these models record availability or unavailability of events only in stable states (if at all), unlike the models of this paper. Example 3 shows that the Singleton Availability Model is incomparable with the Stable Failures Model. In fact, this example shows that all of the models in this paper except the Traces Model are incomparable with all of the models in Roscoe's hierarchy except the Traces Model (so including the Ready Trace Model [11] and the Refusal Testing Model [9]); it is, perhaps, surprising that the hierarchies are so unrelated.

We believe that we could easily adapt our models to extend any of the finite linear observation models from [13], so as to obtain a hierarchy similar to that in Figure 1; in effect, the consideration of availability information is orthogonal to the finite linear observations hierarchy. Further, we have not considered divergences within this paper. We believe that it would be straightforward to extend this work with divergences, either building models that are divergence-strict (like the traditional Failures-Divergences Model [6, 13]), or non-divergence-strict (like the model in [14]).

In [5, 4], van Glabbeek considers a hierarchy of different semantic models in the linear time-branching time spectrum. Several of the models correspond to standard finite linear observation models, discussed above. One other model of interest is simulation.

Definition 24 [5] A simulation is a binary relation $R$ on processes such that for all events $a$, if $P\,R\,Q$ and $P \xrightarrow{a} P'$, then for some $Q'$, $Q \xrightarrow{a} Q'$ and $P'\,R\,Q'$. Process $P$ can be simulated by $Q$, denoted $P \rightarrow Q$, if there is a simulation $R$ with $P\,R\,Q$. $P$ and $Q$ are similar if $P \rightarrow Q$ and $Q \rightarrow P$.

If $P \rightarrow Q$ and $P \xrightarrow{tr} P'$ then one can show that $Q \xrightarrow{tr} Q'$, by induction on the length of $tr$. Hence if $P$ and $Q$ are similar, they are equivalent in the Availability Sets Traces Model, and hence in all our other models. Simulation is strictly finer than our models, since it distinguishes $a \to b \to c \to STOP \mathrel{\Box} a \to b \to d \to STOP$ and $a \to (b \to c \to STOP \mathrel{\Box} b \to d \to STOP)$, for example.

A further possible class of models that we hope to investigate would record events that were available as alternatives to the events that were actually performed, and that were available from the same state as the events that were performed. For example, such a model would distinguish

$$P = a \to c \to STOP \mathrel{\Box} b \to STOP,$$

$$Q = (a \to STOP \mathrel{\Box} b \to STOP) \rhd a \to c \to STOP,$$

since $P$ can perform $\langle a, c \rangle$, with $b$ available from the state where $a$ was performed; but $Q$ does not have such a behaviour. Note that these two processes are equivalent in all the other availability models in this paper.

Two further possible directions in which this work could be extended would be (A) to record what events are not available, or (B) to record the complete set of events that are available. We see considerable difficulties in producing such models. To see why, consider the process $a \to P$. There are two different ways of viewing this process (which amount to different operational semantics for this process):

• One view is that the event $a$ becomes available immediately. With this view: in model A, one cannot initially observe the unavailability of $a$; in model B, the initial complete availability set is $\{a\}$. However, under this view, the fixed point theory does not work as required, since $div$ is not the bottom element of the subset ordering: in model A, $div$ has $a$ initially unavailable; in model B, $div$'s initial complete availability set is $\{\}$; these are both behaviours not exhibited by $a \to P$. Further, under this view, nondeterminism is not idempotent, since, for example, $a \to P \sqcap a \to P$ has $a$ unavailable initially; one consequence is that the proof of the no-junk result cannot be easily adapted to this view.

• The other view is that $a \to P$ takes some time to make the event $a$ available: initially $a$ is unavailable, but an internal state change occurs to make $a$ available. With this view: in model A, one can initially observe the unavailability of $a$; in model B, the initial complete availability set is $\{\}$. However, under this view, it turns out that the state of $a \to P$ after the $a$ has become available cannot be expressed in the syntax of the language; this means that the proof of the no-junk result cannot be easily adapted to this view. (Proving a full abstraction result is straightforward, though.)

As noted in the introduction, in [7] we considered models for an extended version of CSP with a construct "if ready $a$ then $P$ else $Q$". This construct tests whether or not its environment offers $a$, so the model has much in common with model A above (and was built following the second view). As such, it did not have a no-junk result. Further, it did not have a full abstraction result, since it distinguished "if ready $a$ then $P$ else $P$" and $P$, but no reasonable test would distinguish these processes.